RE:Pre-draft: SEAL as an IPv6 extension header (was:Fragmentation-related Security issues)
Sreenatha setty <sreenatha.b@huawei.com> Thu, 12 January 2012 04:42 UTC
Return-Path: <sreenatha.b@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D6611E8085 for <ipv6@ietfa.amsl.com>; Wed, 11 Jan 2012 20:42:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.867
X-Spam-Level:
X-Spam-Status: No, score=-5.867 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_MED=-4, SARE_UNSUB18=0.131]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mnz5281OAI5q for <ipv6@ietfa.amsl.com>; Wed, 11 Jan 2012 20:42:39 -0800 (PST)
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [119.145.14.64]) by ietfa.amsl.com (Postfix) with ESMTP id C216411E8072 for <ipv6@ietf.org>; Wed, 11 Jan 2012 20:42:37 -0800 (PST)
Received: from huawei.com (szxga05-in [172.24.2.49]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LXO002RW52TP2@szxga05-in.huawei.com> for ipv6@ietf.org; Thu, 12 Jan 2012 12:42:30 +0800 (CST)
Received: from szxrg02-dlp.huawei.com ([172.24.2.119]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LXO00DBU52T0K@szxga05-in.huawei.com> for ipv6@ietf.org; Thu, 12 Jan 2012 12:42:29 +0800 (CST)
Received: from szxeml206-edg.china.huawei.com ([172.24.2.119]) by szxrg02-dlp.huawei.com (MOS 4.1.9-GA) with ESMTP id AGG54127; Thu, 12 Jan 2012 12:42:27 +0800
Received: from SZXEML424-HUB.china.huawei.com (10.82.67.163) by szxeml206-edg.china.huawei.com (172.24.2.58) with Microsoft SMTP Server (TLS) id 14.1.323.3; Thu, 12 Jan 2012 12:42:20 +0800
Received: from blrnshtipl6nc (10.18.1.36) by szxeml424-hub.china.huawei.com (10.82.67.163) with Microsoft SMTP Server id 14.1.323.3; Thu, 12 Jan 2012 12:42:15 +0800
Date: Thu, 12 Jan 2012 10:12:20 +0530
From: Sreenatha setty <sreenatha.b@huawei.com>
Subject: RE:Pre-draft: SEAL as an IPv6 extension header (was:Fragmentation-related Security issues)
In-reply-to: <mailman.526.1326218033.3200.ipv6@ietf.org>
X-Originating-IP: [10.18.1.36]
To: fltemplin@acm.org
Message-id: <92EEFBAB064A4B508D8BC51BB2EDE5DF@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.3790.4841
X-Mailer: Microsoft Office Outlook 11
Content-type: multipart/alternative; boundary="Boundary_(ID_biNmD6wW8hkvRDQEj+qFKw)"
Thread-index: AczPwPxFwR0OCeD1QD6yh2Vu5aRz1wBH+RQg
X-CFilter-Loop: Reflected
X-Mailman-Approved-At: Thu, 12 Jan 2012 03:37:41 -0800
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2012 04:48:51 -0000
Hi Fred,
I went through SEAL as an IPv6 extension header draft. I have some
comments on the drafts.
1. SEAL IPv6 extension header functionality is similar to AH
header functionality which is already standardized in RFC 2402(IP
Authentication Header). AH header also calculates the ICV of the packet
[Section 3.3.3.1.2 ICV Computation for IPv6 in RFC 2402] which is used to
check the integrity of the packet. So what is the advantage of using SEAL
header over AH header?
2. Security Consideration section of the draft contains two spelling
mistakes:
" 4. Security Considerations
The SEAL extension header can be used to verify that ICMPv6
messages
wre delivered by an on-path router and not an off-path attacker.
The
header may also be used fro other authenticating purposes, e.g.,
if
the destination shares a symmetric secret key with the source then
the destination can verify that messages actually came from the
source. The packet identification field can also be used for
anti-
replay sequencing."
Thanks & Regards,
Sreenatha Setty
sreenathabs@huawei.com
-----Original Message-----
From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of
ipv6-request@ietf.org
Sent: Tuesday, January 10, 2012 11:24 PM
To: ipv6@ietf.org
Subject: ipv6 Digest, Vol 93, Issue 25
If you have received this digest without all the individual message
attachments you will need to update your digest options in your list
subscription. To do so, go to
https://www.ietf.org/mailman/listinfo/ipv6
Click the 'Unsubscribe or edit options' button, log in, and set "Get
MIME or Plain Text Digests?" to MIME. You can set this option
globally for all the list digests you receive at this point.
Send ipv6 mailing list submissions to
ipv6@ietf.org
To subscribe or unsubscribe via the World Wide Web, visit
https://www.ietf.org/mailman/listinfo/ipv6
or, via email, send a message with subject or body 'help' to
ipv6-request@ietf.org
You can reach the person managing the list at
ipv6-owner@ietf.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ipv6 digest..."
Today's Topics:
1. Re: Non-traditional PMTUD [was Re: Fragmentation-related
security issues] (Brian E Carpenter)
2. Re: Fragmentation-related security issues (Brian E Carpenter)
3. Re: Fragmentation-related security issues (Fernando Gont)
4. AD review of draft-ietf-6man-3627-historic (Jari Arkko)
5. Last Call: <draft-ietf-6man-3627-historic-01.txt> (RFC3627 to
Historic status) to Informational RFC (The IESG)
6. Pre-draft: SEAL as an IPv6 extension header (was:
Fragmentation-related Security issues) (Templin, Fred L)
----------------------------------------------------------------------
Message: 1
Date: Tue, 10 Jan 2012 09:40:45 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: Fred Baker <fred@cisco.com>
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: Non-traditional PMTUD [was Re: Fragmentation-related
security issues]
Message-ID: <4F0B50CD.4020209@gmail.com>
Content-Type: text/plain; charset=UTF-8
On 2012-01-10 06:08, Fred Baker wrote:
> On Jan 6, 2012, at 8:26 PM, Fernando Gont wrote:
>
>> I just said that PLPMTU has a long convergence time
>
> Frankly, that sounds like an implementation issue. If we're willing to set
IW=10, it seems like one should be able to send the initial burst, or at
least the first retransmission, with messages of several sizes and see what
works. In other words, if the MSS is 9K (I wish), send a 9K, a 4K, a 1500
byte IP datagram (eg 1440 byte payload), and 1280. If we get an Ack in the
subsequent RTT acknowledging 8192 bytes, we learned something, and if the
only Ack acknowledges 1280, we learned something.
Right. And the point Fernando queried in my previous message was
simply trying to say "happy eyeballs doesn't do this" - it will leave
the user hanging if TCP connects but PMTUD or MSS negotiation fails.
Brian
------------------------------
Message: 2
Date: Tue, 10 Jan 2012 09:49:39 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Brian Haberman <brian@innovationslab.net>, ipv6@ietf.org
Subject: Re: Fragmentation-related security issues
Message-ID: <4F0B52E3.9000003@gmail.com>
Content-Type: text/plain; charset=UTF-8
On 2012-01-09 22:37, Fernando Gont wrote:
> On 01/09/2012 05:32 AM, Florian Weimer wrote:
>>>> The ULA will have no meaning for ICMP messages that leave the
>>>> administrative domain.
>>> That doesn't matter,
>> How do you implement BCP38 filters if the address lacks clear ownership?
>
> Same thing would happen as it currently happens with ICMP error messages
> sourced from private addresses: some get "mysteriously" dropped. -- i.e.
> using ULAs for the source address of ICMPv6 messages seems like a very
> bad idea.
It's a bad idea, but using link-local is even worse, because those
MUST be dropped.
I don't think ULAs will be stopped by ingress filters in the case that
people over on v6ops were complaining about, where ICMP echo replies
were sent by ISP-internal routers. ULAs will be stopped by ingress
filters if a customer site uses them for ICMP replies.
We agree that using a globally routeable address is best.
Brian
------------------------------
Message: 3
Date: Mon, 09 Jan 2012 12:42:50 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
Cc: Brian Haberman <brian@innovationslab.net>, "ipv6@ietf.org"
<ipv6@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Fragmentation-related security issues
Message-ID: <4F0B0AFA.3070207@gont.com.ar>
Content-Type: text/plain; charset=ISO-8859-1
On 01/09/2012 12:18 PM, Templin, Fred L wrote:
>> Same thing would happen as it currently happens with ICMP
>> error messages
>> sourced from private addresses: some get "mysteriously"
>> dropped. -- i.e.
>> using ULAs for the source address of ICMPv6 messages seems like a very
>> bad idea.
>
> What I care most about is the value of the source address
> from the perspecive of the ICMP message recipient.
That depends on what you're using ICMP for. If it's for troubleshootinf
(ping, traceroute, etc.), the Source Address has some value. If the
ICMPs are meant to be processed by a transport layer (as in PMTUD), the
the Source Address is of no value (it could correspond to the address of
any intervenning router, and since virtually every router could be an
"intervenning router", you cannoT "validate" the source address.
> I think
> no matter the source address scope, the recipinet cannot
> use the source address alone as a means of authenticating
> the ICMP, since there is no guarantee that BCP38 is
> universally implemented. Right?
Right. See RFC 5927.
Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
------------------------------
Message: 4
Date: Tue, 10 Jan 2012 16:55:19 +0200
From: Jari Arkko <jari.arkko@piuha.net>
To: draft-ietf-6man-3627-historic@tools.ietf.org, IETF IPv6 Mailing
List <ipv6@ietf.org>
Subject: AD review of draft-ietf-6man-3627-historic
Message-ID: <4F0C5157.3020009@piuha.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
I have reviewed this document, and as it obviously was ready to be moved
forward, asked for an IETF Last Call to be initiated. Thanks for writing the
document.
Jari
------------------------------
Message: 5
Date: Tue, 10 Jan 2012 08:00:47 -0800
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: ipv6@ietf.org
Subject: Last Call: <draft-ietf-6man-3627-historic-01.txt> (RFC3627 to
Historic status) to Informational RFC
Message-ID: <20120110160047.14784.28475.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="us-ascii"
The IESG has received a request from the IPv6 Maintenance WG (6man) to
consider the following document:
- 'RFC3627 to Historic status'
<draft-ietf-6man-3627-historic-01.txt> as an Informational RFC
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2012-01-24. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.
Abstract
This document moves RFC3627 (Use of /127 Prefix Length Between
Routers Considered Harmful) to HISTORIC status to reflect the updated
guidance contained in RFC6164 (Using 127-Bit IPv6 Prefixes on Inter-
Router Links). While a standards track document already supersedes
an informational document and therefore RFC6164 is the appropriate
guidance to follow when the two documents are in conflict, this links
the two documents so that it is clearer that the IETF has updated
guidance on the matter.
The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-6man-3627-historic/
IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-6man-3627-historic/
No IPR declarations have been submitted directly on this I-D.
------------------------------
Message: 6
Date: Tue, 10 Jan 2012 09:53:43 -0800
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Pre-draft: SEAL as an IPv6 extension header (was:
Fragmentation-related Security issues)
Message-ID:
<E1829B60731D1740BB7A0626B4FAF0A65C79362394@XCH-NW-01V.nw.nos.boeing.com>
Content-Type: text/plain; charset="us-ascii"
Please see below for a pre-draft for using the Subnetwork
Encapsulation and Adaptation Layer (SEAL) as an IPv6 extension
header. This extension header can be used by the source to
defeat off-path spoofing of ICMPv6 error messages. When the
source and destination share a secret symmetric key used for
calculating the integrity check vector, the extension header
also provides the destination with data origin authentication
and anti-replay.
Please send any comments to the list,
Fred
fred.l.templin@boeing.com
--- cut here ---
Network Working Group F. Templin, Ed.
Internet-Draft Boeing Research & Technology
Intended status: Informational January 10, 2012
Expires: July 13, 2012
The SEAL IPv6 Extension Header
draft-templin-sealopt.txt
Abstract
The Subnetwork Encapsulation and Adaptation Layer (SEAL) provides a
mid-layer header designed for the encapsulation of an inner network
layer packet within outer network layer headers. SEAL also supports
a transport mode of operation, where the inner payload corresponds to
an ordinary transport layer payload. However, SEAL can also provide
benefit when used as an IPv6 extension header. Namely, the SEAL
header when used as an extension header contains a digital signature
(inserted by the source) that covers the leading 128 bytes of the
payload beginning with the SEAL header itself. The source can
thereafter use the digital signature to verify that any ICMPv6
mesages received actually came from a router on the path.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 13, 2012.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Templin Expires July 13, 2012 [Page 1]
Internet-Draft SEAL January 2012
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. SEAL IPv6 Extension Header . . . . . . . . . . . . . . . . . . 3
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1. Normative References . . . . . . . . . . . . . . . . . . . 4
6.2. Informative References . . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 5
Templin Expires July 13, 2012 [Page 2]
Internet-Draft SEAL January 2012
1. Introduction
The Subnetwork Encapsulation and Adaptation Layer (SEAL)
[I-D.templin-intarea-seal] provides a mid-layer encapsulation
designed for the encapsulation of an inner network layer packet
within outer network layer headers. SEAL also supports a transport
mode of operation, where the encapsulated payload corresponds to an
ordinary transport layer protocol payload. It is in essence a close
analogy of the GRE encapsulation format [RFC1701].
However, SEAL can also provide benefit when used as an IPv6 extension
header [RFC2460]. Namely, the SEAL header when used as an IPv6
extension header contains a digital signature (inserted by the
source) that covers the leading 128 bytes of the payload beginning
with the SEAL header itself. The source can thereafter use the
digital signature to verify that any ICMPv6 mesages received actually
came from a router on the path.
2. SEAL IPv6 Extension Header
The SEAL IPv6 extension header is formatted as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header |Hdr Ext Len = 2| SEAL Header (format TBD) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Integrity Check Vector (ICV) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: SEAL IPv6 Extension Header Format
Next Header (8) an 8-bit field that encodes the next header Internet
Protocol number the same as for the IPv4 protocol and IPv6 next
header fields.
Next Header Length (8) an 8-bit length of the extension header
measured in 8-byte words. Set to 2.
SEAL Header (16)
a 16-bit field that controls the operation of SEAL. Format TBD.
Templin Expires July 13, 2012 [Page 3]
Internet-Draft SEAL January 2012
Identification (32)
a 32-bit per-packet identification field. Set to a monotonically-
incrementing 32-bit value for each SEAL packet transmitted,
beginning with 0.
Integrity Check Vector (ICV) (32)
a 32-bit header integrity check value. Covers the leading 128
bytes of the packet beginning with the SEAL extension header (or
up to the end of the packet). The value 128 is chosen so that at
least the SEAL header as well as the inner packet network and
transport layer headers are covered by the integrity check.
The IPv6 source inserts a SEAL extension header whenever it wants to
ensure that any resulting ICMPv6 error messages [RFC4443] came from a
router on the path and not from an off-path attacker. When the
source receives an ICMPv6 error message, it verifies that the ICV
value is correct based on a secret hashing algorithm of its choosing.
The source should choose a hashing algorithm that would make it
virtually impossible for an off-path attacker to guess.
3. IANA Considerations
The IANA is instructed to allocate an IPv6 extension header for SEAL.
4. Security Considerations
The SEAL extension header can be used to verify that ICMPv6 messages
wre delivered by an on-path router and not an off-path attacker. The
header may also be used fro other authenticating purposes, e.g., if
the destination shares a symmetric secret key with the source then
the destination can verify that messages actually came from the
source. The packet identification field can also be used for anti-
replay sequencing.
5. Acknowledgments
TBD.
6. References
6.1. Normative References
[I-D.templin-intarea-seal]
Templin, F., "The Subnetwork Encapsulation and Adaptation
Templin Expires July 13, 2012 [Page 4]
Internet-Draft SEAL January 2012
Layer (SEAL)", draft-templin-intarea-seal-42 (work in
progress), December 2011.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification", RFC 4443, March 2006.
6.2. Informative References
[RFC1701] Hanks, S., Li, T., Farinacci, D., and P. Traina, "Generic
Routing Encapsulation (GRE)", RFC 1701, October 1994.
Author's Address
Fred L. Templin (editor)
Boeing Research & Technology
P.O. Box 3707
Seattle, WA 98124
USA
Email: fltemplin@acm.org
Templin Expires July 13, 2012 [Page 5]
------------------------------
_______________________________________________
ipv6 mailing list
ipv6@ietf.org
https://www.ietf.org/mailman/listinfo/ipv6
End of ipv6 Digest, Vol 93, Issue 25
************************************
- RE:Pre-draft: SEAL as an IPv6 extension header (w… Sreenatha setty
- RE: RE:Pre-draft: SEAL as an IPv6 extension heade… Templin, Fred L